Introduction

As computers keep getting faster, password hashing has to keep getting stronger. In this example we convert passwords stored in MySQL with plain CRYPT hashing to SSHA256 (salted SHA256). The same procedure works for any scheme that doveadm pw can generate; the alternate configuration further down uses SHA512-CRYPT instead.

We used PHP to generate the new password hashes, but you can use any language you want.

Example

Add a new column (newpw) and copy the existing CRYPT hashes into it with the prefix {CRYPT}, so that Dovecot can tell from each stored value which scheme it uses. This should get you started in MySQL (adjust table and column names): UPDATE `your_table` SET newpw = CONCAT('{CRYPT}', field_name)

Change dovecot-sql.conf so that it reads the new field:

# Comment out default_pass_scheme so Dovecot takes the scheme from the {SCHEME} prefix
# of each stored password (a prefix always overrides default_pass_scheme)
# default_pass_scheme = CRYPT
# Update your password_query so it reads the new field,
# AND add a '%w' field to the query so the plaintext password is exported to the
# post-login script's environment (as userdb_plain_pass via the prefetch userdb)
password_query = SELECT id as user, newpw as password, home as userdb_home, \
  uid as userdb_uid, gid as userdb_gid, '%w' as userdb_plain_pass FROM users WHERE id = '%u'
# Alternatively, here is another config that worked for me with SHA512-CRYPT (note: uncomment the lines relevant for your setup):
#
# driver = mysql
# connect = host=127.0.0.1 user=mailauth password=secret dbname=postfixadmin
# default_pass_scheme = SHA512-CRYPT
# password_query = SELECT username AS user, password, CONCAT('/var/mail/vdomains/', maildir) as userdb_home, 'vmail' as userdb_uid, 'vmail' as userdb_gid, '%w' as userdb_plain_pass FROM mailbox WHERE username = '%u'
# user_query = SELECT CONCAT('/var/mail/vdomains/', maildir) AS home, 'vmail' AS uid, 'vmail' AS gid, password FROM mailbox WHERE username = '%u' AND active = 1

Make sure you have configured the prefetch userdb, so the userdb_* fields returned by password_query are actually used:

userdb {
driver = prefetch
}

Now reload Dovecot and check that logins still work.

Make the post-login script (executed after a successful login) and save it as /usr/local/etc/popafter.sh. Dovecot hands the script the real pop3 process as its arguments, so the script must end with exec "$@" to start it.

From now on, each user who logs in through POP3 has their password hash converted to SSHA256 on the next login. If you look at the database you will see, for example, {SSHA256.hex}fb0e7f39c88c1d7017169f7f6b9cd6977d1e3291149382b90da4a390a31e81bab3cdced8 instead of {CRYPT}$1$.gvrgDqc$Slvoapz5zkpVmmJAxi.0k1

If you are using IMAP, you need to add the same kind of post-login hook (i.e. imap-postlogin) to your config too, otherwise IMAP-only users are never converted.

Once every record has been converted, remove the post-login lines from dovecot.conf again and remove the '%w' field from password_query in dovecot-sql.conf. While '%w' is in the query, every login sends the user's plaintext password to MySQL as a literal (and into any MySQL query log), so do not leave it there longer than the migration needs.

Here is an alternate version that I used with SHA512-CRYPT and bash (note: uncomment the lines relevant for your setup, including the ones I added for debugging purposes, if needed):

#!/usr/local/bin/bash
# echo "USER: $USER" >> /tmp/log
# echo "PLAIN-PASS: $PLAIN_PASS" >> /tmp/log
DOVECOTPW=$(/usr/local/bin/doveadm pw -s SHA512-CRYPT -p "$PLAIN_PASS")
# echo "$DOVECOTPW" >> /tmp/log
/usr/local/etc/convertpw.php "$USER" "$DOVECOTPW"
exec "$@"

# note: if enabled, some of the lines above will log passwords to /tmp/log. Create the file first, and delete it when no longer needed;
# this whole approach is a security risk and should *never* be done in a production system. I had to use it for troubleshooting for a very limited period of time.
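The post-login conversion described above, written out as an added, self-contained Python example; this is not the page's PHP script or the bash variant, and it is not Dovecot's own code. It assumes what the scripts above assume: Dovecot exports the user as $USER and the plaintext password as $PLAIN_PASS (the '%w' / userdb_plain_pass field) and passes the real pop3/imap process as the script's arguments. The {SSHA256.hex} value is computed in pure Python in the layout Dovecot uses (SHA256(password || salt) followed by the 4-byte salt, hex-encoded) instead of calling doveadm pw, and the MySQL table from the page's query (users / newpw) is replaced by an in-memory stand-in with the same two methods, so the conversion and a verify round trip can be run offline. The sample row is constructed; its hash is the page's own {CRYPT} example.

```python
#!/usr/bin/env python3
"""Post-login hash conversion (added example; assumptions noted inline)."""
import hashlib
import hmac
import os
import secrets
import sys
from typing import Dict, Optional, Tuple

SALT_LEN = 4      # doveadm's default salt length for the SSHA* schemes
DIGEST_LEN = 32   # SHA-256 digest size; the salt is stored after the digest


def ssha256_hex(password: str, salt: Optional[bytes] = None) -> str:
    """Return '{SSHA256.hex}' + hex(SHA256(password || salt) || salt).

    This is Dovecot's SSHA256 layout: the salt is appended to the digest so it
    can be recovered at verify time; '.hex' selects hex over base64 encoding.
    """
    if salt is None:
        salt = secrets.token_bytes(SALT_LEN)
    digest = hashlib.sha256(password.encode("utf-8") + salt).digest()
    return "{SSHA256.hex}" + (digest + salt).hex()


def split_scheme(stored: str) -> Tuple[str, str]:
    """Split '{SCHEME}data' into ('SCHEME', 'data'); no prefix gives ('', data)."""
    if stored.startswith("{") and "}" in stored:
        end = stored.index("}")
        return stored[1:end].upper(), stored[end + 1:]
    return "", stored


def verify_ssha256_hex(password: str, stored: str) -> bool:
    """Check a password against a '{SSHA256.hex}...' value with a constant-time compare."""
    scheme, data = split_scheme(stored)
    if scheme != "SSHA256.HEX":
        return False
    try:
        raw = bytes.fromhex(data)
    except ValueError:
        return False
    if len(raw) <= DIGEST_LEN:          # must hold a digest plus at least one salt byte
        return False
    digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
    expected = hashlib.sha256(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)


class MemoryTable:
    """In-memory stand-in for the MySQL `users` table (hypothetical).

    A real deployment would wrap a DB-API cursor with the same two methods,
    e.g. cursor.execute("UPDATE users SET newpw=%s WHERE id=%s", (value, user)).
    """

    def __init__(self, rows: Dict[str, str]):
        self.rows = dict(rows)

    def get_newpw(self, user: str) -> Optional[str]:
        return self.rows.get(user)

    def set_newpw(self, user: str, value: str) -> None:
        self.rows[user] = value


def convert_on_login(user: str, plain: str, table) -> Tuple[Optional[str], bool]:
    """Rewrite the user's stored hash as SSHA256 unless it already is one.

    Dovecot has just verified `plain` against the old {CRYPT} value, so the
    script trusts it. Returns (stored value, whether it was changed); an
    unknown user is a no-op rather than an error, so login is never blocked.
    """
    current = table.get_newpw(user)
    if current is None or split_scheme(current)[0] == "SSHA256.HEX":
        return current, False
    new = ssha256_hex(plain)
    table.set_newpw(user, new)
    return new, True


# Constructed sample data: one user still on the prefixed MD5-crypt form the
# page shows; the hash string is the page's own example value.
SAMPLE_ROWS = {"someuser": "{CRYPT}$1$.gvrgDqc$Slvoapz5zkpVmmJAxi.0k1"}


def main(argv) -> int:
    user = os.environ.get("USER")
    plain = os.environ.get("PLAIN_PASS")
    if user and plain:
        convert_on_login(user, plain, MemoryTable(SAMPLE_ROWS))  # swap in the real table here
    # Do not let the real pop3/imap process inherit the plaintext password.
    os.environ.pop("PLAIN_PASS", None)
    if argv:
        os.execvp(argv[0], argv)   # hand over to the process Dovecot asked us to run
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Two design points worth keeping in a real version: the conversion is idempotent (a second login with an already-converted row changes nothing, so the hook can stay installed until the last row is done), and the script scrubs PLAIN_PASS from the environment before the exec so only the hook itself ever sees the plaintext.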